Fix nonce ignoring

modules/ppcp-axo/src/Gateway/AxoGateway.php

@@ -264,9 +264,9 @@ class AxoGateway extends WC_Payment_Gateway {
 			);
 		}
 
-		// phpcs:ignore WordPress.Security.NonceVerification.Missing
-		$axo_nonce = wc_clean( wp_unslash( $_POST['axo_nonce'] ?? '' ) );
-		// phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		// phpcs:disable WordPress.Security.NonceVerification
+
+		$axo_nonce   = wc_clean( wp_unslash( $_POST['axo_nonce'] ?? '' ) );
 		$token_param = wc_clean( wp_unslash( $_GET['token'] ?? '' ) );
 
 		if ( empty( $axo_nonce ) && ! empty( $token_param ) ) {
@@ -274,7 +274,6 @@ class AxoGateway extends WC_Payment_Gateway {
 		}
 
 		try {
-			// phpcs:ignore WordPress.Security.NonceVerification.Missing
 			$fastlane_member = wc_clean( wp_unslash( $_POST['fastlane_member'] ?? '' ) );
 			if ( $fastlane_member ) {
 				$payment_method_title = __( 'Debit & Credit Cards (via Fastlane by PayPal)', 'woocommerce-paypal-payments' );
@@ -341,6 +340,7 @@ class AxoGateway extends WC_Payment_Gateway {
 			'result'   => 'success',
 			'redirect' => $this->get_return_url( $wc_order ),
 		);
+		// phpcs:enable WordPress.Security.NonceVerification
 	}
 
 	/**

modules/ppcp-button/src/Endpoint/CartScriptParamsEndpoint.php

@@ -76,7 +76,8 @@ class CartScriptParamsEndpoint implements EndpointInterface {
 				wc_maybe_define_constant( 'WOOCOMMERCE_CART', true );
 			}
 
-			$include_shipping = (bool) wc_clean( wp_unslash( $_GET['shipping'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+			// phpcs:ignore WordPress.Security.NonceVerification.Recommended
+			$include_shipping = (bool) wc_clean( wp_unslash( $_GET['shipping'] ?? '' ) );
 
 			$script_data = $this->smart_button->script_data();
 			if ( ! $script_data ) {

modules/ppcp-button/src/Helper/ContextTrait.php

@@ -301,8 +301,9 @@ trait ContextTrait {
 	 * @return bool
 	 */
 	private function is_subscription_change_payment_method_page(): bool {
-		if ( isset( $_GET['change_payment_method'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification
-			return wcs_is_subscription( wc_clean( wp_unslash( $_GET['change_payment_method'] ) ) ); // phpcs:ignore WordPress.Security.NonceVerification
+		// phpcs:disable WordPress.Security.NonceVerification
+		if ( isset( $_GET['change_payment_method'] ) ) {
+			return wcs_is_subscription( wc_clean( wp_unslash( $_GET['change_payment_method'] ) ) );
 		}
 
 		return false;
@@ -325,12 +326,14 @@ trait ContextTrait {
 	 * @return bool
 	 */
 	protected function is_wc_settings_payments_tab(): bool {
-		if ( ! is_admin() || isset( $_GET['section'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification
+		// phpcs:disable WordPress.Security.NonceVerification
+		if ( ! is_admin() || isset( $_GET['section'] ) ) {
 			return false;
 		}
 
-		$page = wc_clean( wp_unslash( $_GET['page'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification
-		$tab  = wc_clean( wp_unslash( $_GET['tab'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification
+		$page = wc_clean( wp_unslash( $_GET['page'] ?? '' ) );
+		$tab  = wc_clean( wp_unslash( $_GET['tab'] ?? '' ) );
+		// phpcs:enable WordPress.Security.NonceVerification
 
 		return $page === 'wc-settings' && $tab === 'checkout';
 	}

modules/ppcp-compat/src/AdminContextTrait.php

@@ -20,7 +20,8 @@ trait AdminContextTrait {
 	 * @return bool
 	 */
 	private function is_paypal_order_edit_page(): bool {
-		$post_id = wc_clean( wp_unslash( $_GET['id'] ?? $_GET['post'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		// phpcs:ignore WordPress.Security.NonceVerification
+		$post_id = wc_clean( wp_unslash( $_GET['id'] ?? $_GET['post'] ?? '' ) );
 		if ( ! $post_id ) {
 			return false;
 		}

modules/ppcp-compat/src/PPEC/SubscriptionsHandler.php

@@ -150,6 +150,8 @@ class SubscriptionsHandler {
 			return true;
 		}
 
+		// phpcs:disable WordPress.Security.NonceVerification
+
 		// Checks that require Subscriptions.
 		if ( class_exists( \WC_Subscriptions::class ) ) {
 			// My Account > Subscriptions > (Subscription).
@@ -160,15 +162,15 @@ class SubscriptionsHandler {
 			}
 
 			// Changing payment method?
-			if ( is_wc_endpoint_url( 'order-pay' ) && isset( $_GET['change_payment_method'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+			if ( is_wc_endpoint_url( 'order-pay' ) && isset( $_GET['change_payment_method'] ) ) {
 				$subscription = wcs_get_subscription( absint( get_query_var( 'order-pay' ) ) );
 
 				return ( $subscription && PPECHelper::PPEC_GATEWAY_ID === $subscription->get_payment_method() );
 			}
 
 			// Early renew (via modal).
-			if ( isset( $_GET['process_early_renewal'], $_GET['subscription_id'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-				$subscription = wcs_get_subscription( absint( $_GET['subscription_id'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+			if ( isset( $_GET['process_early_renewal'], $_GET['subscription_id'] ) ) {
+				$subscription = wcs_get_subscription( absint( $_GET['subscription_id'] ) );
 
 				return ( $subscription && PPECHelper::PPEC_GATEWAY_ID === $subscription->get_payment_method() );
 			}
@@ -185,7 +187,6 @@ class SubscriptionsHandler {
 		}
 
 		// Are we editing an order or subscription tied to PPEC?
-		// phpcs:ignore WordPress.Security.NonceVerification
 		$order_id = wc_clean( wp_unslash( $_GET['id'] ?? $_GET['post'] ?? $_POST['post_ID'] ?? '' ) );
 		if ( $order_id ) {
 			$order = wc_get_order( $order_id );
@@ -199,9 +200,7 @@ class SubscriptionsHandler {
 		 * @psalm-suppress UndefinedClass
 		 */
 		$post_type_or_page = class_exists( OrderUtil::class ) && OrderUtil::custom_orders_table_usage_is_enabled()
-			// phpcs:ignore WordPress.Security.NonceVerification
 			? wc_clean( wp_unslash( $_GET['page'] ?? '' ) )
-			// phpcs:ignore WordPress.Security.NonceVerification
 			: wc_clean( wp_unslash( $_GET['post_type'] ?? $_POST['post_type'] ?? '' ) );
 		if ( $post_type_or_page === 'shop_subscription' || $post_type_or_page === 'wc-orders--shop_subscription' ) {
 			return true;

modules/ppcp-order-tracking/src/TrackingAvailabilityTrait.php

@@ -24,7 +24,8 @@ trait TrackingAvailabilityTrait {
 	 * @return bool
 	 */
 	protected function is_tracking_enabled( Bearer $bearer ): bool {
-		$post_id = (int) wc_clean( wp_unslash( $_GET['id'] ?? $_GET['post'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		// phpcs:ignore WordPress.Security.NonceVerification
+		$post_id = (int) wc_clean( wp_unslash( $_GET['id'] ?? $_GET['post'] ?? '' ) );
 		if ( ! $post_id ) {
 			return false;
 		}

modules/ppcp-paypal-subscriptions/src/PayPalSubscriptionsModule.php

@@ -167,6 +167,7 @@ class PayPalSubscriptionsModule implements ServiceModule, ExtendingModule, Execu
 					return;
 				}
 
+				// phpcs:ignore WordPress.Security.NonceVerification
 				$nonce = wc_clean( wp_unslash( $_POST['_wcsnonce'] ?? '' ) );
 				if (
 					$subscriptions_mode !== 'subscriptions_api'
@@ -250,6 +251,7 @@ class PayPalSubscriptionsModule implements ServiceModule, ExtendingModule, Execu
 			 * @psalm-suppress MissingClosureParamType
 			 */
 			function( $variation_id ) use ( $c ) {
+				// phpcs:ignore WordPress.Security.NonceVerification
 				$wcsnonce_save_variations = wc_clean( wp_unslash( $_POST['_wcsnonce_save_variations'] ?? '' ) );
 
 				if (

modules/ppcp-save-payment-methods/src/SavePaymentMethodsModule.php

@@ -285,7 +285,8 @@ class SavePaymentMethodsModule implements ServiceModule, ExtendingModule, Execut
 								? apply_filters( 'woocommerce_paypal_payments_three_d_secure_contingency', $settings->get( '3d_secure_contingency' ) )
 								: '';
 
-							$change_payment_method = wc_clean( wp_unslash( $_GET['change_payment_method'] ?? '' ) ); // phpcs:ignore WordPress.Security.NonceVerification
+							// phpcs:ignore WordPress.Security.NonceVerification
+							$change_payment_method = wc_clean( wp_unslash( $_GET['change_payment_method'] ?? '' ) );
 
 							wp_localize_script(
 								'ppcp-add-payment-method',

modules/ppcp-vaulting/src/VaultingModule.php

@@ -207,6 +207,7 @@ class VaultingModule implements ServiceModule, ExtendingModule, ExecutableModule
 						return;
 					}
 
+					// phpcs:ignore WordPress.Security.NonceVerification
 					$wpnonce         = wc_clean( wp_unslash( $_REQUEST['_wpnonce'] ?? '' ) );
 					$token_id_string = (string) $token_id;
 					$action          = 'delete-payment-method-' . $token_id_string;

modules/ppcp-wc-gateway/src/Gateway/PayUponInvoice/PayUponInvoiceGateway.php

@@ -247,9 +247,8 @@ class PayUponInvoiceGateway extends WC_Payment_Gateway {
 	 */
 	public function process_payment( $order_id ) {
 		$wc_order = wc_get_order( $order_id );
-		// phpcs:disable WordPress.Security.NonceVerification.Missing
+		// phpcs:disable WordPress.Security.NonceVerification
 		$birth_date = wc_clean( wp_unslash( $_POST['billing_birth_date'] ?? '' ) );
-		// phpcs:disable WordPress.Security.NonceVerification.Recommended
 		$pay_for_order = wc_clean( wp_unslash( $_GET['pay_for_order'] ?? '' ) );
 		if ( 'true' === $pay_for_order ) {
 			if ( ! $this->checkout_helper->validate_birth_date( $birth_date ) ) {
@@ -261,7 +260,7 @@ class PayUponInvoiceGateway extends WC_Payment_Gateway {
 		}
 
 		$phone_number = wc_clean( wp_unslash( $_POST['billing_phone'] ?? '' ) );
-		// phpcs:enable WordPress.Security.NonceVerification.Missing
+		// phpcs:enable WordPress.Security.NonceVerification
 		if ( $phone_number ) {
 			$wc_order->set_billing_phone( $phone_number );
 			$wc_order->save();